7 Cybersecurity Risks for 2014. February 5, 2014. Posted by Ishmael Chibvuri in I.T Risk Management, Internal Audit, Risk Management.
With each new year, comes a new round of cybersecurity risks.
To help businesses best prepare for the year ahead, risk mitigation and response solutions firm Kroll has identified seven trends that indicate a changing tide in cyber standards. These changes will require organizations to take stronger actions and safeguards to protect against reputational, financial and legal risks.
“Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion,” said Tim Ryan, a Kroll managing director and Cyber Investigations practice leader. “Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track and analyze events.”
Kroll predicts that the new cybersecurity issues for 2014 will include:
National Institute of Standards and Technology (NIST) and similar security frameworks will become the de facto standards of best practices for all companies: Cybersecurity strategies largely designed for companies that were part of the “critical infrastructure” will become more of an expectation for everyone, from conducting an effective risk assessment to implementing sound cybersecurity practices and platforms. Organizations that don’t follow suit may find themselves subject to shareholder lawsuits, actions by regulators and other legal repercussions.
Alan Brill, senior managing director at Kroll, said this trend will move the United States in the direction of the EU, where there is a greater recognition of privacy as a right.
“As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations,” Brill said. “To minimize their risk, organizations will have to get smart on these standards and make strategic business decisions that give clients and customers confidence that their information is protected.”
The data supply chain will pose continuing challenges to even the most sophisticated enterprises: It is not unusual for companies to store or process the data they collect by using third parties. However, the security that these third parties use to safeguard their clients' data is frequently not understood by the businesses that hire them until there is a breach. Companies will need to vet their subcontractors closely and get specific as to the technical and legal roles and responsibilities of these subcontractors in the event of a breach.
“Companies should know who they are giving their data to and how it is being protected,” Ryan said. “This requires technical, procedural and legal reviews.”
The malicious insider remains a serious threat, but will become more visible: Whether it was Shakespeare’s Caesar or America’s Benedict Arnold, people have long known the pain of betrayal by those they trust. Information technology simply made the betrayer’s job easier. In 2014, a significant number — if not almost half — of data breaches will come at the hands of people on the inside. However, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, these hidden insider attacks will become more widely known.
Ryan said the insider threat, which often goes unreported, is insidious and complex.
“Thwarting it requires collaboration by general counsel, information security and human resources,” he said. “SEC breach disclosure of ‘material losses’ may be the model for rules requiring a company to be more transparent and answerable for allowing bad actors to go unpunished.”
Corporate board audit committees will take a greater interest in cybersecurity risks and the organization’s plans for addressing them: With more and more data breaches — from theft of trade secrets to loss of customer information — in the headlines, corporate audit committees are beginning to focus on the connection between cybersecurity and an organization’s financial well-being. As such, these committees will expand their attention beyond the financial audit process to also include the organization’s strategic plans for protecting non-public information. They will also look at risk-mitigation plans for responding to a possible breach.
“As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company’s cybersecurity wasn’t at a level that could be reasonably viewed to be ‘commercially reasonable’ and that incident response plans weren’t in place to mitigate the risk,” Brill said. “The challenge they face is determining what is a reasonable level of security and response, and who should make that call. Is it their IT team, an industry expert, an independent third party?”
Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster: Company leaders realize that even the best firewalls and intrusion detection systems cannot stop all attacks. But technological progress that occurred over the last 12 months will enable companies to unravel events and see with near–real-time clarity what’s happened to their data and how much damage has been done.
“We’ve seen a dramatic improvement in response technology over the last year,” Ryan said. “Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response.”
New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response: Credit monitoring will no longer be the gold standard in breach remediation in 2014, as lawmakers, consumer advocates and the public at large continue to raise questions about the relevancy and thoroughness of this as a stand-alone solution. These parties will demand a more effective alternative. While no legal guidelines currently exist for consumer remediation, the FTC and states like California and Illinois are already offering guidance that suggests a risk-based approach to consumer remediation will be the way of the future.
“That’s not to say that credit monitoring is useless, because it’s a valuable tool when it aligns with the type of data exposed,” Brill said. “Rather, companies will need to gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to the affected consumers.”
As cloud and BYOD adoption continues to accelerate, implementing policies and managing technologies will require greater accountability: The development and evolution of cloud services and BYOD have moved at a whirlwind pace, leaving IT departments scrambling to get out in front of the technologies and employee usage. In 2014, IT leaders will need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the needs of the organization.
Brill said that up until now, cloud and BYOD adoption has been like the Wild West — uncharted, unregulated and facing few restrictions.
“While it’s implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security and risk-management plans will be much better prepared to fulfill their legal obligations,” Brill said. “Organizations must realize that even if they don’t want to deal with this, they’re not going to have much choice.”
Originally published on BusinessNewsDaily
Techies ride Zim's internet wave. October 25, 2013. Posted by Ishmael Chibvuri in I.T Risk Management.
On the benches outside the pub overlooking the cricket greens at Harare Sports Club, they hunch over laptops, selling ideas as diverse as how to sell cattle and how to help urban dwellers cook traditional meals.
It is a long way from Silicon Valley in California, but, amid a boom in social media use, Zimbabwe is seeing the emergence of a fast-growing start-up scene.
A few years ago Limbikani Makani was a bored IT manager at a nongovernmental organisation. He quit his job and set up TechZim, a tech news website that is hosting a “start-up challenge”, attended by dozens of tech developers.
The interest has grown since the first event, which was held two years ago, reflecting the growing number of developers in Zimbabwe.
“We have created a launch pad for these entrepreneurs, enabling them to accelerate their start-ups to a level where they can make revenue,” Makani says.
Teledensity, the ratio of telephones to the population, stood at 91% in February, a big jump from 14% in 2008. Over the same period, mobile access has risen from about 11% to nearly 100%.
Access to the internet
In 2000, only 0.4% of Zimbabweans had access to the internet. Now the figure has risen to 40%, according to official data.
Usage is also rising as access grows. Opera, one of the world’s largest mobile browsers, says Zimbabwe is one of its fastest growing markets, and had the highest numbers of “page views” in Africa in 2011.
And last week, the International Telecommunication Union named Zimbabwe among 12 "most dynamic countries" in the world that have recorded above-average growth in information and communications technology over the past year.
In the boom, developers are stirring; the numbers are growing, and so is the range of their ideas.
Last year Allister Banks set up RLMS, or the Remote Livestock Marketing System, a start-up that allows trade of livestock online.
“We have traded close to $4-million so far,” Banks says.
Paying lobola via RLMS
On his website Banks invites users abroad to pay their lobola cattle via RLMS. He has a selection of cattle on display on the site, from which, he says, a prospective groom can choose.
“If there is no space in the in-laws’ residence for the cattle, don’t worry. Each animal you choose and buy can be ear tagged, branded, entered into a national database, kept at one of our partner farms, looked after.”
And then there is ZimboKitchen, a service that delivers tutorials such as “how to make plain sadza”, and gives recipes for other popular Zimbabwean dishes such as beef trotters, or muboora, pumpkin leaves stewed in peanut butter.
There is also TestLabs, a service that provides local high school students and teachers with relevant exam revision tools.
Some of the websites and apps are already popular, but the challenge is to help developers make money.
Investors are conservative and hesitate to gamble on start-ups, most of which are run by “green, fresh-out-of-college dreamers”, as one bank chief executive described them.
For now, most of the apps are free to download. Developers themselves have little knowledge about how to turn their ideas into dollars, a gap the likes of Makani are trying to bridge.
“The two sides don’t speak the same language,” he says.
The techies also struggle to be taken seriously.
“Our society demands that you have an actual job,” developer Pardon Muza says, making finger quotes to show his annoyance.
Muza is one of many developers building an online payments site.
“You have to put up with being asked when you’ll get a proper job, wear a tie and work normal hours and stuff.”
But Makani says developers are now increasingly focusing on building services that don’t just sound cool, but bring solutions that can earn them money.
“Initially, we focused on pure innovation in terms of technology and utility, but this has evolved into a more practical approach where strong market potential overrides technology that is used just for the sake of using cool technology,” Makani says.
How to Unlock the Keypad on a BlackBerry Curve. February 27, 2013. Posted by Ishmael Chibvuri in I.T Risk Management, Latest Articles!!!.
By an eHow Contributing Writer
Many people depend on their BlackBerrys to store information, access media via the Internet, and stay in touch with friends and family. With so much information on these devices, security measures have been put in place to protect that data. One of these is a "Lock/Unlock" feature which prevents those who don't know the password from accessing the keypad. Here is a simple method for unlocking the keypad on your BlackBerry Curve.
Things You'll Need:
Computer with Internet access (optional)
Accessing the BlackBerry Curve Keypad
1. Access the BlackBerry's main menu.
2. Enter the password in the "Lock/Unlock" screen. The password you enter is the same one chosen in the initial program setup of your BlackBerry Curve.
3. Click "Enter" after you've input the code, and your Curve keypad should now be unlocked.
Unlocking the BlackBerry Curve Keypad Without a
4. Enter a random code into the "Lock/Unlock" screen on your BlackBerry Curve. This is to be done if you can't remember and/or don't have a record of your Curve's password. A message will appear that reads "Incorrect
5. Repeat the process, each time entering another incorrect password. After the tenth incorrect password is entered the handset will wipe all of its stored information and unlock the keypad. This is the device's defence against password guessing working as designed: whoever holds a lost or stolen handset gets at most ten guesses before the data is destroyed, so there is no way to "unlock" a locked BlackBerry and keep its contents without the password.
6. Clear out of the "Lock/Unlock" screen, and you are now ready to use your Curve. However, the information you had stored on the BlackBerry will now be erased. An easy way to safeguard against lost BlackBerry information is to back up all files on your PC (the Desktop Manager referred to here is the Windows version of the BlackBerry desktop software) via the "Desktop Manager" program on your
Password Security, How Does It Work? February 27, 2011. Posted by Ishmael Chibvuri in I.T Risk Management.
Don’t share credentials between your accounts, especially if security is your business.
I thought it was silly of Gawker Media to taunt world-plus-dog to test its IT security, only to be caught napping last year when its systems were compromised. But when your whole business is IT security, it’s even more embarrassing to be caught reenacting the tale of the cobbler’s children.
In that story, the cobbler was so busy making shoes for the village that his own children had to run around barefoot. This is—after being updated for the 21st century—pretty much what happened to security consultancy HBGary and its subsidiary HBGary Federal. From what I understand, one or more of the company’s executives thought that it was a good idea to use the same password for Twitter, LinkedIn and the firm’s content-management system. That became a problem after HBGary Federal’s CEO Aaron Barr decided that he was going to try to infiltrate the hacktivists collectively known as “Anonymous.” He was successful in doing so, but after revealing himself, apparently thought that his company was immune to retaliation.
But Barr’s sloppiness with passwords gave his enemies enough of a toehold to allow them to break into the consultancy’s e-mail server in early February and capture about 50,000 documents and messages. For the last few weeks, the two firms have been the butt of jokes, especially after HBGary posted a “pity me” sign in place of its booth at the RSA Conference in San Francisco.
Here’s the thing that makes this situation even more amusing than the Gawker debacle: HBGary was soliciting clients by letting them believe that its team knew better than to reuse passwords among key systems. (I’m sure that wasn’t actually in the pitch, but it was one of those things that you assume is there in much the same way that one assumes that a LAN uses Ethernet.) On top of that, HBGary had offered its services to Bank of America as experts in fighting back against WikiLeaks and in turn, Anonymous. This is the Internet’s equivalent of waving a red cape in front of a bull; do it enough, and you’re likely to be gored.
More likely than not, from some of the e-mail that I’ve seen that passed between Barr and one of his top coders, arrogance played a part in the debacle. The problem with the “can’t touch this” attitude is that it’s only valid while the people who want to take you down have better things to do.
I’m sure that the HBGary executives were thinking the same thing most of us do: “I’m kind of busy right now, and I’ll change it to something stronger when I have a little more time.” I’ve done that more times than I care to think about, as I noted in December when the Gawker story broke. Since then, I’ve become a little bit better at resisting the temptation to slap a quick and dirty password on an account. But I’m still doing it from time to time, as I realized the last time I ordered a cable from my new favorite vendor for such things.
I’m convinced that practicing password security in the fashion that many security experts say we should is just too much bother for all but a handful of people. “Easy to remember, hard to forget” only gets one so far if the password has to be rotated every month or two. Maybe we really are better off carrying around a piece of paper full of random characters with a few real passwords embedded in the randomness. This “poor man’s steganography” has to be a better approach to password security than what we have today.
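The column's point, that a password reused across a weakly protected system and a stronger one is only as safe as the weak system, is easy to see in code. What follows is an added example, not code from the column or from HBGary. It assumes a content-management system that stored unsalted MD5 hashes (an assumption made for the demo only; the column says nothing about how that CMS stored passwords), a mail server that stores per-user salted PBKDF2 hashes, and constructed user records, passwords and wordlist.

```python
# Added example (not code from the column or from HBGary): a password reused
# across a weakly protected CMS and a stronger mail server is only as safe as
# the CMS. The unsalted-MD5 CMS, the wordlist and the accounts are constructed
# sample data; that the CMS used unsalted MD5 is an assumption for the demo.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000  # deliberately low so the demo runs in well under a second


def md5_unsalted(password: str) -> str:
    """Weak storage: one fast hash per password, no salt, so equal passwords
    give equal digests and one guess is checked against every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    """Stronger storage: per-user random salt and a slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_salted_record(password: str) -> tuple:
    """Create a (salt, hash) record as the stronger system would on signup."""
    salt = os.urandom(16)
    return salt, pbkdf2_salted(password, salt)


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Offline wordlist attack on an unsalted dump {user: md5_hex}.
    Hash each word once, then look every user's digest up in that table."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def pivot(recovered: dict, other_system: dict) -> list:
    """Try each recovered password against the same username on the other
    system ({user: (salt, hash)}). Returns the users whose reuse carries the
    CMS compromise over. compare_digest keeps the comparison constant-time."""
    hits = []
    for user, password in recovered.items():
        if user in other_system:
            salt, stored = other_system[user]
            if hmac.compare_digest(stored, pbkdf2_salted(password, salt)):
                hits.append(user)
    return sorted(hits)


def demo() -> tuple:
    """Constructed scenario: the CMS dump leaks, two of three passwords are in
    the wordlist, and one of those two was reused on the mail server."""
    cms_dump = {
        "ceo": md5_unsalted("summer2011"),
        "coder": md5_unsalted("n0t-in-any-w0rdlist"),
        "admin": md5_unsalted("letmein"),
    }
    wordlist = ["password", "qwerty", "letmein", "summer2011", "123456"]
    mail_server = {
        "ceo": new_salted_record("summer2011"),              # reused: falls with the CMS
        "coder": new_salted_record("n0t-in-any-w0rdlist"),   # reused, but never cracked
        "admin": new_salted_record("a-separate-passphrase"), # not reused
    }
    recovered = crack_unsalted(cms_dump, wordlist)
    return recovered, pivot(recovered, mail_server)


if __name__ == "__main__":
    recovered, hits = demo()
    print("cracked from CMS dump:", recovered)
    print("mail accounts opened by reuse:", hits)
```

Against the salted store on its own the same wordlist would cost one slow KDF evaluation per (user, word) pair with no shared lookup table, which is exactly why an attacker goes in through the weakest system that holds the reused password; the iteration count here is kept low only so the demo runs quickly.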
IT Security & Network Security News. February 27, 2011. Posted by Ishmael Chibvuri in I.T Risk Management.
What does it take to get attention for IT initiatives in today’s enterprise? In most cases, according to Symantec Senior Director Jennie Grimes, it means making a compelling business case—and getting the right information to the right people in the right language.
IT risk management initiatives are definitely worthy of executive attention. Our economy is increasingly dependent on the Internet and IT systems, making the risks in these systems far more visible and significant than ever. But, it’s a discipline with a myriad of stakeholders: CIOs, CISOs, enterprise risk management teams, compliance and regulation staff, and internal and external auditors.
Step #1: Choose your words wisely
For example, rather than talking about a "zero day threat," consider simulating the impact of a potential incident in terms of potential business loss. Instead of talking about recovery time and recovery point objectives (RTOs and RPOs), speak in terms of lost revenue and customers during an outage. Instead of highlighting unimplemented ISO controls, speak about the lost productivity of employees who need to share information both inside and outside the firewall but cannot do so effectively.
Step #2: Use a High-Medium-Low spectrum of potential business loss
Step #3: Use headlines to your benefit
Step #4: Move your message up the chain (and sideways, too)
Step #5: Identify your milestones
For example, starting with a proof of concept for a content filtering project will have much more value if users from audit, legal and a line of business are involved in choosing terms to flag, track and quarantine. A security incident reporting process may get more enthusiastic response if users understand that increasing their awareness helps save corporate dollars and image.
IT risk management will become increasingly important as key organizational stakeholders come to see the value of an ongoing program. In the meantime, IT risk professionals can bring colleagues on board and establish a baseline program by using the right language and the right information to garner support internally.
Jennie Grimes is a senior director for Symantec’s IT Risk Management Program office.